ATE Security & Compliance

Security and privacy are coded into ATE's DNA, so you can rest easy with a truly secure virtual event platform

Encryption

Data is entirely encrypted whether in transit or at rest using the industry-standard AES-256 encryption algorithm. Encryption is enforced via TLS to all data in transit. Only secure access (HTTPS) to the Reyes Definido Solutions (RDS) website and platform is allowed.

Access Management

Stringent access management controls are in place to grant authorized users the right to use a service while restricting access to unauthorized users. Reyes Definido Solutions (RDS) has implemented security policies across all systems (including APIs), platforms, applications, and devices to identify security violations, remove unauthorized access privileges, and revoke access if necessary. Role-based access controls and least privilege access controls are in place.

Backup and Disaster Recovery (DR)

Automated full-time backups are taken of the databases to mitigate the risk of losing customer data due to disk corruption. Periodic backup and restoration tests are performed to ensure easy and timely recovery of data. Disaster Recovery sites are set up to ensure minimal loss and support business continuity. Annual disaster recovery drills are conducted to ensure Reyes Definido Solutions can respond to disasters and emergencies that affect the information systems. Such drills help minimize the risk of a security mishap on business operations.

Cloud Computing Services & Security

Reyes Definido Solutions platform is powered by Amazon Web Services (AWS) for hosting and computing activities since AWS is the world’s most secure cloud platform. AWS maintains and demonstrates tons of compliance programs which are but not limited to SSAE-16 SOC 1, 2, and 3, ISO 27001, etc. Reyes Definido Solutions has segregated the production environment from the non-production environment both physically and logically to maintain the confidentiality, integrity, availability (CIA), and privacy of customer’s data.

Privacy by Design

Protecting the privacy of our customers is our highest priority. Reyes Definido Solution’s product is designed with privacy as a priority. Reyes Definido Solutions collects and processes PII data within the limits of the law and for business use cases agreed with the customers. All PII data is deleted once the purpose is fulfilled. We are ISO 27701:2019 certified organization. For further details, please refer to our privacy policy.

PII Data Protection

Reyes Definido Solutions platform is ISO 27701:2019 and ISO 27018:2019 certified. PII data is collected and processed within the limits of the law and for business use cases agreed with customers. All PII data is deleted once the purpose is fulfilled. Stringent security controls such as encryption, access controls, and multi-factor authentication are in place to protect PII data. PII data is not used for testing purposes.

Incident Management

Reyes Definido Solutions has defined an incident management policy to respond and resolve critical incidents. This involves a set of procedures and actions such as – how incidents are detected and communicated, who is responsible, what tools are used, and what steps are taken to resolve the incident.

Vulnerability Assessment & Penetration Testing (VAPT)

Reyes Definido Solutions (RDS) conducts rigorous periodic VAPT with leading independent security consulting firms to obtain a detailed view of the threats that might impact the security and privacy framework of RDS’s platform and various applications. It helps RDS to protect data and systems from malicious attacks, which may lead to any kind of data loss and unauthorized access to the systems.

User Authentication and Passwords

Users are authenticated with unique IDs and passwords that are protected by a strong encryption mechanism by using bcrypt. A strict password policy is implemented at Reyes Definido Solutions along with multi-factor authentication (MFA) to make the environment more secure.

DATA PROCESSING AGREEMENT

This Data Processing Addendum (hereinafter the “DPA” or “Addendum”) with its annexures and appendix is part of the Master Subscription Agreement (the “MSA”), the Terms of Use and any other agreement wherein ATE Technologies Inc. and its affiliates (“ATE”) have agreed to provide its Services (as defined below) to host and organize virtual hybrid event on ATE Platform (“Customer”) to reflect the parties agreement to Processing of the Customer Personal Data (“Customer Personal Data”).

1. Commencement

This DPA shall come into effect on the same date as the MSA (“Effective Date”). This Addendum shall form an integral part of the MSA. The Customer and ATE shall be each referred to as “Party” or collectively as “Parties”. In the event of a conflict between the terms and conditions of this Addendum, or the Agreement, an Order Form, or any other documentation, the terms and conditions of this Addendum shall prevail with respect to the subject matter of Processing of Customer Personal Data.

Security and Privacy are of utmost importance and are given the highest priority at African Trade Exhibition (ATE). We are committed to protect the confidentiality, integrity, availability, and privacy of our information systems and customer’s data through the implementation of numerous controls.

ATE invests heavily in security and privacy framework to ensure we meet or exceed industry standards, applicable law & regulations, and most importantly, our customer’s expectations.

Processing activities authorized by the Customer The Platform provided by ATE is an online Software-as-a-Service solution that enables event organization to create and manage online events through the various functionalities as made available by ATE, available and updated from time to time. This involves the Processing of Customer Personal Data by ATE about Data Subjects which includes: the personnel of organizers, sponsors, third parties and End Users / Attendees of such events as uploaded by the Customer into the Platform. By using the Platform/ Services as a cloud-based environment, the Customer will act as Controller of all Personal Data shared and transferred to the Platform/ Services and hereby authorizes ATE (as Processor), its Affiliates, suppliers and sub-contractors, to Process Customer Personal Data for the purpose as set out in this DPA and the MSA, and upon provision of any documented instructions to ATE from time to time. In providing the Customer and facilitating the End User/s access to/ use of the Platform in accordance with the MSA, the Customer shall remain responsible for compliance with Applicable Data Protection Laws. The details of the processing, the rights and duties of the Parties are further detailed below in this DPA and in the Standard Contractual Clauses attached and part of this DPA.

2. Execution of DPA

2.1 This Addendum (and Standard Contractual Clauses in Annexure I, if applicable) may have been pre-signed on behalf of ATE as the data importer.

2.2 To complete this Addendum, Customer must: a. Complete the information in the signature box of this DPA and have the Customer signatory sign on behalf of the Customer, Customer signatory represents to ATE that he or she has the legal authority to bind Customer and is lawfully able to enter into this DPA. b. If the DPA is being signed virtually, by way of e-signatures, then you approve to execute the DPA through any of our e-signature platforms.

3. Definitions

All capitalized terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of this Addendum, the following terms shall have the following meanings:

A. “Affiliate” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the MSA, where “control” means the ownership of a majority share of the stock, equity, or voting interests of such an entity.

B. “Applicable Data Protection Laws” collectively means all data protection laws and regulations, which includes US federal and state privacy laws, EU Data Protection Laws, and any other laws pertaining to data protection in any territory of the world that may be applicable to the Processing of Personal Information (also known as “Personal Data”) under the MSA.”CCPA” means the California Consumer Privacy Act of 2018, including amendments and final regulations.

C. “Commercial Purposes,” “Sell,” have the meanings assigned to them in section 1798.140 of the CCPA.

D. “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. The definition of Controller has meaning given to it by EU Data Protection Law

E. “Customer” means the Organizer that has entered into the MSA with ATE to use/access ATE Platform to host virtual events, which term shall include its employees, independent contractors, consultants, Affiliates, successors and assigns using/ accessing the Platform/ Services.

F. “Customer Personal Data” means any Personal Data that the Customer shares with or permits ATE to access, store, host, modify, share, delete and further Process for the performance of the Services, which includes End Users/ Attendees of the Customer which is processed by ATE and /or its Affiliates under this DPA.

G. “Data Subject” means the identified or identifiable person to whom Personal Data relates.

H. “End Users” or “Attendees” means the clients and all individuals who shall, from time to time, be attending or participating in the events organized by the Customer on the Platform.

I. “EU data Protection Laws” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementations thereof; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), as amended, replaced or superseded, as well as any other applicable data protection laws and/or regulations in force in EU Member States.

J. “Equivalent Protection Area” means the area that comprises (a) countries within the European Union, including Iceland, Liechtenstein, and Norway, and (b) countries that the European Commission may from time to time recognize as ensuring an adequate level of protection as provided for in article 45 of the GDPR, which includes Switzerland and the United Kingdom.

K. “Personnel” means the employees, agents, consultants, and contractors of Customer/ Customer’s Affiliates or ATE / ATE Affiliate, as the case may be.

L. “Personal Data” means any information relating to a Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes any special categories of Personal Data defined in Art. 9 of the GDPR, data relating to criminal convictions and offenses or related security measures defined in Art. 10 of the GDPR and national security numbers defined in Art. 87 of the GDPR and national supplementing law.

M. “Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller and as instructed by the Controllers, usually for specific purposes and services accessible to the Controller.

N. “Sub-processor” means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-processor, to process Personal Data on behalf of the Controller, as defined in Art. 28(4) of GDPR.

O. “Standard Contractual Clauses” means the contractual clauses set out in Annex 1 to this DPA pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in third party countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”), which do not ensure an adequate level of protection, and any further approved set of contractual clauses as approved by the competent authority from time to time.

P. “Security Incident” means any confirmed breach of security that leads to the accidental, or unlawful destruction, loss, alteration, use, unauthorized disclosure of or access to Personal Data.

Q. “Services” means the ATE Services as set forth in the Agreement or associated ATE order form.

R. “Transfer” means any Processing, which includes accessing, sharing, disclosing or otherwise making Personal Data available, whether by a ATE affiliate, its suppliers or the Customer, from another location than where the Processing initially occurs, which includes:

i) any transfer of Customer Personal Data from the Customer to ATE and/ or a ATE Affiliate; ii) an onward transfer of Customer Personal Data from ATE to a ATE Affiliate; or iii) an onward transfer of Customer Personal Data from ATE and/ or a ATE Affiliate to another Sub-Processor, iv) in each case, where such Transfer would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of appropriate safeguards and any lawful mechanisms for such Transfers, which includes the use of Standard Contractual Clauses.

4. Applicability of DPA

4.1 Regardless of whether the applicable Agreement has terminated or expired, this Addendum will remain in effect until, and automatically expire when, Reyes Definido Solutions deletes all Customer Personal Data as described in this DPA.

5. Processing of Personal Data: Roles and Responsibilities of the Parties

If EU Data Protection Law applies to the processing of Customer Personal Data:

5.1 The subject matter and details of the processing are described in the DPA

5.2 Customer Personal Data is being processed by Reyes Definido Solutions as part of providing access and use of the Platform to the Customer and their End User/s, as further specified in the MSA.

5.3 Reyes Definido Solutions through it European affiliate is a processor of Customer Personal Data under EU Data Protection Law.

5.4 Customer is a controller or processor, as applicable, of that Customer Personal Data under EU Data Protection Law.

5.5 Customer acknowledges and agrees that any Processing under this DPA may also be carried out by any Reyes Definido Solutions Affiliate, and Reyes Definido Solutions Affiliate shall assume the obligations of Reyes Definido Solutions, in its capacity of Processor, for any such Processing under this DPA.

5.6 Each party will comply with the obligations applicable to it under EU Data Protection Law with respect to the processing of that Customer Personal Data.

5.7 If laws other than EU Data Protection Law applies to either party’s processing of Customer Personal Data, the relevant party will comply with any obligations applicable to it under that law with respect to the processing of that Customer Personal Data.

6. Details of processing and Reyes Definido Solutions’s duties as Processor of Customer Personal Data

6.1 ATE obligations

ATE shall/ may: i) only process Customer Personal Data for the purposes set forth in the MSA, DPA and only in accordance with the lawful, documented instructions of Customer (including with regard to transfers of Customer Personal Data to a third country), unless Reyes Definido Solutions is required to process Customer Personal Data by the Applicable Data Protection Laws to which Reyes Definido Solutions is subject to (in such a case, Reyes Definido Solutions shall inform the Customer of that legal requirement before processing, unless applicable law prohibits such information).

ii) only act on the Customer’s instructions, which may be specific or of a general nature as set out in this DPA or as otherwise notified by the Customer to Reyes Definido Solutions from time to time and not for Reyes Definido Solution’s own purposes.

iii) refrain from processing Customer Personal Data and notify the same to the Customer immediately, if the instruction to process Customer Personal Data by the Customer infringes with the EU Data Protection Laws.

iv) keep all Customer Personal Data Confidential, and ensure to only provide access to authorized employees, agents, suppliers, contractors, consultants and subcontractors who are authorized and have a need to access such complying with the same degree of confidentiality as under this DPA; Reyes Definido Solutions shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Customer Personal Data

v) provide, at Customer’s costs and expenses, reasonable cooperation and assistance to the Customer as set out this DPA;

vi) implement all appropriate technical, physical and organizational measures to ensure a level of security appropriate to the level of risk to Customer Personal Data as required by Applicable Data Protection Laws;

vii) complying with the terms of the MSA including, without limitation while providing access to: usage of the Platform/ Services, and for back-up and recovery, cyber security, operations, control, improvements and development of the Services/ Platform, fraud and service misuse prevention and legal and administrative proceedings;

viii) unless permitted by the Customer, not: (a) sell Personal Data, nor (b) collect, retain, use, or disclose Customer Personal Data that it has access to for any purpose other than for the specific purpose of performing the Services specified in the MSA and this DPA. Unless otherwise permitted by the Customer, Reyes Definido Solutions to shall not use any Customer Personal Data for its own commercial benefit. Except as otherwise instructed, the Customer hereby authorizes Reyes Definido Solutions to create de-identified or anonymized data for the purpose of improving the Services and the Platform and conduct analytics and reports on the use of the Platform/ Services;

ix) comply with other reasonable written instructions provided by the Customer in writing where such instructions are consistent with the terms of the MSA and comply with all Applicable Data Protection Laws.

x) process some Customer Personal Data for its own legitimate purposes, as an independent Controller, solely when the Processing is strictly necessary and proportionate, and if the Processing is for one of the following exhaustive list of purposes:

a) sales pitching and management, billing, account, and Customer relationship management (marketing communication with procurement)and related Customer correspondence (mailings about for example necessary updates);

b) complying with and resolving legal obligations under Applicable Data Protection Laws, provide services to Data Subjects located in the EU or monitors their behaviors, appoint a Representative located in the EU to enable Data Subjects to exercise their rights and make such information available to Data Subjects in an appropriate manner, other tax requirements, agreements and disputes;

xi) anonymize and/ or use aggregate data for:

c) improving and optimizing the performance and core functionalities of accessibility, privacy, security, and the IT infrastructure efficiency of Reyes Definido Solutions Services;

d) internal reporting, financial reporting, budget planning, capacity planning and building, and forecast modeling (including product strategy);

e) receiving and using Feedback for Reyes Definido Solution’s overall service improvement; and

6.2 When acting as an independent Controller, ATE will not process Customer Personal Data for any purposes other than the above list of legitimate purposes.

7. Customer Obligations

7.1 The Customer represents and warrants that it has undertaken to provide all necessary notices to End-Users and received all necessary permissions and consents, as required for Reyes Definido Solutions to Process the Customer Personal Data under this DPA and pursuant to the Applicable Data Protection Laws in their respective country and state (if applicable).

7.2 The Customer represents and warrants that it has complied with all information provision obligations under the Applicable Data Protection Laws.

7.4 Responsibilities of Customer

The Customer: i) instructs Reyes Definido Solutions and each Reyes Definido Solutions Affiliate (and authorizes Reyes Definido Solutions and each Reyes Definido Solutions Affiliate to instruct each Sub-processor) to: a) Process Customer Personal Data in a manner that is in compliance with the Applicable Data Protection Laws; and b) in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the MSA;

ii) warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 5.1; and

iii) warrants and represents that it has complied with Applicable Data Protection Laws in respect of any obligations that it has under Applicable Data Protection Laws with respect to it being the Controller of Customer Personal Data. The Customer further represents and warrants that it has collected the Customer Personal Data in accordance with Applicable Data Protection Laws.

7.4.1 As Customer is the Controller of Personal Data of Data Subjects, it the responsibility of the Customer to ask for consent from End Users for new types of data processing, nor shall Reyes Definido Solutions process Customer Personal Data for any “further” or “compatible” purposes (within the meaning of Articles 5(l)(b) and 6(4) GDPR) other than those specified in this DPA.

7.4.2 Customer’s instructions to Reyes Definido Solutions and each Reyes Definido Solutions Affiliate for the Processing of Customer Personal Data shall comply with Applicable Data Protection Laws. Customer shall be responsible for the Customer Personal Data and the means by which Customer acquired Customer Personal Data.

7.4.3 The Customer agrees to defend, indemnify and hold harmless Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate from and against all claims, actions, third party claims, direct losses, damages and expenses incurred by Reyes Definido Solutions and/ or the relevant Reyes Definido Solutions Affiliate as a result of or in connection with the Customer’s non-compliance with the Applicable Data Protection Laws.

8. Categories of Data Subjects

The Personal Data Processed by Reyes Definido Solutions, relates to the following categories of data subjects: i) The Customer, its Affiliates and its End Users or Attendees, personnel, suppliers, agents, consultants, contractors, sub-contractors and suppliers and their personnel (which involves any authorized users of the Customer who shall operate the Account), and;

ii) End-Users authorized by the Customer to access the Platform.

8.1 Type of Personal Data: The Personal Data, Processed by ATE includes the following categories of Personal Data:

i) Customer Personal Data: this includes: – Contact, user account and login data of the organizers and its End Users and Attendees, personnel, such as first name, last name, email address, social media account ID, designation, organization, country.

ii) End-User Personal Data:

this includes event attendees, sponsors, speakers, and other third parties’ Personal Data managing and supporting the online events, including:

– contact and login details, such as name, last name, e-mail address, phone number;

– communication data, such as personal data that may be used to

– media data: this may include pictures of attendees on their account profile, videos and voice recordings as uploaded on the platform to advertise the event in a banner, and any other media that is relevant to event management and organization that may contain other media containing Personal Data.

– account data, such as job profile, Customer name, type of Customer, social media account ID, LinkedIn or Facebook profile details, and any other Personal Data that the Customer may require its End-Users to include when connecting to the Platform

8.2 Special Categories of Personal Data

Reyes Definido Solutions generally does not Process any Special Categories of Customer Personal Data for the performance of the Services unless the Customer exclusively instructs Reyes Definido Solutions to do so. If the Customer requires the Processing of any Special Categories of Data, the Customer shall ensure that such Processing is lawful and complies with all Applicable Data Protection Laws, which may include special protections of such data.

9. Rights of Data Subjects

9.1 Reyes Definido Solutions depending on the nature of processing, must provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to any Data Subject rights under Applicable Data Protection Law (including its rights of access, to rectification, to erasure, to restriction, to objection, and data portability, as applicable).

9.2 If Reyes Definido Solution’s Privacy Team receives a request from a data subject that relates to Customer Personal Data, Reyes Definido Solutions will: (a) advise the data subject to submit their request to Customer; (b) notify Customer; and (c) not otherwise respond to that data subject’s request without authorization from Customer. Customer will be responsible for responding to any such request, where necessary, Reyes Definido Solutions will provide complete assistance in responding to the Data Subject requests. Reyes Definido Solutions reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance provided to Customer.

10. Cooperation and assistance

10.1 Reyes Definido Solutions will provide the Customer with commercially reasonable cooperation and assistance in relation to handling the inquiries from End Users regarding their Personal Data to the extent legally required and to the extent Customer is unable to Process such End User request through the features available on the Platform, if the Customer has requested, in writing, Reyes Definido Solution’s assistance. The Customer is liable to reimburse Reyes Definido Solutions for any costs and expenses related to the provision of such assistance.

10.2 This includes responding to inquiries from authorities and data subjects and, where applicable, to provide reasonable support to the Customer in case of data breaches and notifications to authorities and/or data subjects, with data protection impact assessments or to consult authorities.

10.3 It is clarified that Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate or any of its Sub-processors shall not respond to that request except as required by Applicable Data Protection Laws to which Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate or any of its Sub-processors is subject, as applicable, in which case Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate shall to the extent permitted by Applicable Data Protection Laws inform Customer of that legal requirement before Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate or any of its Sub-processors responds to the request.

11. Authority Of Customer to Issue Instructions Assistance in Compliance

11.1 The Customer shall issue instructions to Reyes Definido Solutions in writing/ via e-mail. Reyes Definido Solutions will duly cooperate with and make commercially reasonable efforts to assist the Customer in complying with Customer’s obligations pursuant to the Applicable Data Protection Laws, considering the nature of processing, technical and organizational feasibility, and the information available to Reyes Definido Solutions. The Customer shall reimburse costs and expenses for any cooperation and assistance services provided to the Customer in that regard.

12. ATE Personnel

12.1 Limitation of Access: Reyes Definido Solutions and each Reyes Definido Solutions Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Reyes Definido Solutions and Reyes Definido Solutions Affiliate who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Customer Personal Data, as strictly necessary for the purposes of the MSA, and to comply with Applicable Data Protection Laws in the context of that individual’s duties to Reyes Definido Solutions or Reyes Definido Solutions Affiliate, as applicable, ensuring that all such individuals are subject to required confidentiality obligations.

12.2 Confidentiality Reyes Definido Solutions shall ensure that all such Personnel are informed of the confidential nature of the Customer Personal Data and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

12.3 Reyes Definido Solutions shall also impose required contractual obligations upon its Personnel who are engaged in the Processing of Customer Personal Data regarding obligations under Applicable Data Protection Laws and thus bind the Personnel to the same obligations that Reyes Definido Solutions has with respect to the Processing of Customer Personal Data.

13. Approved Sub-processing

13.1 Customer acknowledges, agrees and authorizes, that ATE may engage Sub Processors for certain Processing activities as required from time to time on Customer’s behalf in accordance with this section 13 and subject to any restrictions in the MSA.

13.3 ATE and each ATE Affiliate may continue to use those Sub-processors already engaged by ATE and each ATE Affiliate as at the date of this Addendum, subject to ATE and each ATE Affiliate in each case as soon as practicable meeting the obligations set out in section 14.

13.4 ATE and/or the relevant Reyes Definido Solutions Affiliate shall notify the Customer of the appointment of any new Sub-processors, including full details of the Processing to be undertaken by the Sub-processors within 30 (thirty) days of such appointment. If, within 10 (ten) days of receipt of that notice, Customer notifies ATE and/or the relevant ATE Affiliate in writing of any objections (on reasonable grounds) to the proposed appointment, ATE and/or the relevant ATE Affiliate shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processors.

13.5 With respect to each Sub-Processor, ATE and/or the relevant ATE Affiliate shall

i) ATE shall ensure that Authorized Sub-processors have executed confidentiality agreements that prevent them from unauthorized Processing of Customer Personal Data both during and after their engagement by ATE.

ii) ensure that the arrangement between on the one hand (a) ATE, or (b) the relevant ATE Affiliate, and on the other hand the Sub-processor, is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR;

iii) if that arrangement involves a Transfer, Reyes Definido Solutions shall ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand (a) Reyes Definido Solutions, or (b) the relevant Reyes Definido Solutions Affiliate, and on the other hand the Sub-processor, or before the Sub-processor first Processes Customer Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with the Customer; and

iv) provide to Customer for review such copies of Reyes Definido Solution’s or the relevant Reyes Definido Solutions Affiliate’s agreements, as applicable, with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Customer may request from time to time.

v) Reyes Definido Solutions shall communicate the request made by the data subject regarding any data subject rights regarding their personal data in accordance with the Applicable Data Protection Law to each of its Sub-Processor to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort.

14. Reyes Definido Solutions and Affiliate’s Security Responsibilities

14.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Reyes Definido Solutions and each Affiliate shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and equivalent provisions under the Appliable Data Protection Regulations

14.2 Reyes Definido Solutions will maintain administrative, physical and technical safeguards to ensure a level of security including the pseudonymization and encryption of Customer Personal Data and protection of the security, confidentiality, and integrity of Customer Personal Data. Reyes Definido Solutions shall monitor compliance with these safeguards and will not in any case, decrease the overall security during the Term of the MSA.

14.2 Reyes Definido Solutions shall provide for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

14.3 In assessing the appropriate level of security, Reyes Definido Solutions and each Reyes Definido Solutions Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

14.4 Reyes Definido Solutions shall provide to the Customer at reasonable intervals (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum), the most recent version of Reyes Definido Solution’s information security policy, as Customer may request from time to time.

15. Customer’s Security Responsibilities

15.1 Without prejudice to Reyes Definido Solution’s and the relevant Reyes Definido Solutions Affiliate’s obligations under this Section (security), the Customer:

i) shall remain solely responsible for its use of the Services, including: (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (c) backing up the Customer Personal Data; and

ii) acknowledges that Reyes Definido Solutions and each Affiliate has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Reyes Definido Solutions and each Affiliate’s and its Sub-processors’ systems (for example, offline or online premises storage).

15.2 For the provision of Services, Reyes Definido Solutions and its Affiliates warrant that they comply with the data protection measures required by the Applicable Data Protection Laws.

16. Supervisory Power of Customer and Audits

16.1 Upon Customer’s written request, at reasonable intervals, Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate shall make available to Customer which is not a competitor of Reyes Definido Solutions, information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer, at the Customer’s cost, in relation to the Processing of the Customer Personal Data by Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate and their Sub-processors, provided that such audit right is available to the Customer once yearly.

16.2 Information and audit rights of the Customer only arise under clause 16.1 to the extent that the MSA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).

16.3 Customer or an auditor mandated by the Customer undertaking an audit shall give Reyes Definido Solutions a notice of 30 (thirty) days prior to any audit or inspection which is to be conducted and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to Reyes Definido Solution’ s premises, software, equipment, Personnel and or business while its personnel are on those premises in the course of such an audit or inspection.

16.4 It is expressly clarified that Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate will not be able to provide access to the SaaS platform operated by Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate or otherwise let the auditors interact with the platform.

16.5 Customer shall ensure that any such auditor as engaged by the Customer shall perform the audit in compliance with this DPA, and Applicable Data Protection Laws.

16.6 Reyes Definido Solutions, the relevant Reyes Definido Solutions Affiliate and their Sub-processors need not give access to its premises for the purposes of such an audit or inspection:

i) to any individual unless he or she produces reasonable evidence of identity and authority; or

ii) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer undertaking an audit has given notice to Reyes Definido Solutions that this is the case before attendance outside those hours begins.

17. Personal Data Breach Management and Notification

Breach prevention and management

17.1 Reyes Definido Solutions will continue to maintain security incident management policies and procedures to the extent required by law and shall promptly notify Customer of any Personal Data Breach which Reyes Definido Solutions or any Sub-processor becomes aware of.

17.2 ATE shall provide the Customer with sufficient information regarding the Personal Data Breach enabling the Customer to meet any obligations to report such Personal Data Breach to any authorities or inform the End-Users of such Personal Data Breach.

Remediation

17.3 ATE will make reasonable efforts to identify and, to the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by ATE, remedy the cause of such Personal Data Breach. ATE will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Laws to notify a regulatory authority or any Data Subjects of a Personal Data Breach.

17.4 ATE shall provide notification of a Personal Data Breach in the following manner:

i) ATE shall, to the extent permitted by Applicable Data Protection Laws, notify Customer without undue delay, after Reyes Definido Solution’s confirmation or reasonable suspicion of a Personal Data Breach impacting Customer Personal Data of which Reyes Definido Solutions is a Processor;

ii) Reyes Definido Solutions will notify the occurrence of the Personal Data Breach to the email address of the Customer’s Account owner.

17.5 As part of above notification, Reyes Definido Solutions shall provide:

i) A description of the nature of the Personal Data Breach including the volume and type of Customer Personal Data affected and the categories and approximate number of individuals concerned;

ii) The likely consequences of the Personal Data Breach; and

iii) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

18. Data Protection Impact Assessments and Prior Consultations

18.1 Reyes Definido Solutions shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with any supervisory authority or other competent data privacy authorities, which the Customer reasonably considers to be required as under article 35 or 36 of the GDPR or equivalent provisions of the Applicable Data Protection Laws , in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to Reyes Definido Solutions, Reyes Definido Solutions Affiliate, or any Subprocessor.

19. Deletion And Retention of Customer Personal Data Data Deletion

19.1 Reyes Definido Solutions shall retain the Customer Personal Data for a period of 3 (three) years from the date of termination of the MSA solely for repurposing and/or reusing the Customer Personal Data for any future events hosted by the Customer on the Platform in accordance with the terms of the MSA. Reyes Definido Solutions shall not use this data for any purpose apart from retaining it for the Customer. Post completion of the above mentioned 3 year period, Reyes Definido Solutions shall automatically delete all data provided by the Customer and procure the deletion of all copies of Customer Personal Data from its Sub-processors.

19.2 The Customer can request Reyes Definido Solutions at any point in time to delete all data by way of a written request or instruction, which shall be processed by Reyes Definido Solutions within 15 days from the receipt of such request. It shall be Customer’s exclusive responsibility to secure all necessary data/ information from the Customer’s Account prior to such deletion, including the Personal Data of End Users.

Data Retention 19.3 Copies or duplicates of the data shall never be created, except when Customer agrees that Reyes Definido Solutions may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures.

19.4 Reyes Definido Solutions, Reyes Definido Solutions Affiliates and their Sub-processors may retain Customer Personal Data to the extent required by Applicable Data Protection Laws and other applicable laws and always provided that Reyes Definido Solutions, the relevant Reyes Definido Solutions Affiliate and their Sub-processors shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Data Protection Laws requiring its storage and for no other purpose.

Disclosure To Competent Authorities

19.5 ATE may disclose Customer Personal Data, (a) if required by a summon/ subpoena or other judicial or administrative order, or if otherwise required by the Applicable Data Protection Laws and other applicable laws if any.

Compliance and contact 19.6 ATE’s team is responsible to make sure that all ATE Personnel, Affiliates, and Sub-processors adhere to this DPA. You can reach out to Reyes Definido Solutions for compliance related queries at contact@africantradeexhibition.com (contact@africantradeexhibition.com).

20. Cross-border data transfers

20.1 The parties acknowledge and agree that in the event that Customer transfers Customer Personal Data to Reyes Definido Solutions and/or Reyes Definido Solutions makes routine transfers of Customer Personal Data in the normal course of business to itself or its Affiliates and/ Sub-processors, and these transfers include any Customer Personal Data wherein EU Data Protection Laws apply to, such transfers, to any countries which do not ensure an adequate level of data protection, be undertaken by Processor through one of the following mechanisms:

i) in accordance with the Swiss-U.S. and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce, both available at https://www.privacyshield.gov/EU-USFramework (the “Privacy Shield Principles”), or

ii) the Standard Contractual Clauses set forth in Annexure I to this Addendum. (EU Standard Contractual Clauses (Processors)

In the event that EU authorities or courts determine that the Privacy Shield is not an appropriate basis for transfers, Reyes Definido Solutions and Customer agree to promptly execute an approved EU Standard Contractual Clauses (Processors) to govern such transfers.

20.2 Where Customer permits the transfer of the Customer Personal Data outside the Equivalent Protection Area (European Union, Iceland, Lichtenstein, Norway, or the United Kingdom (the “EEA”)), the Customer shall ensure to do so based on the Standard Contractual Clauses or via any other lawful transfer mechanism. The Customer’s approval is given at the effective date in accordance with the instructions and processing activities as set out in this DPA.

20.3 To the extent that any chosen lawful mechanism provided above is no longer valid, the Customer shall implement any appropriate alternative transfer mechanism to comply with Applicable Data Protection Laws

20.4 Subject to section 20.1, the Customer (as “data exporter”) and Reyes Definido Solutions and/or the relevant Reyes Definido Solutions Affiliate and their Sub-processors, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Transfer from the Customer to Reyes Definido Solutions and/ or the relevant Reyes Definido Solutions Affiliate or their Sub-processors.

20.5 The Standard Contractual Clauses shall come into effect under section 20.1 on the later of:

(i) the data exporter becoming a party to them
(ii) the data importer becoming a party to them; or
(iii) commencement of the relevant Transfer.

20.5 Section 20.1 shall not apply to a Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Transfer to take place without breach of Applicable Data Protection Laws.

20.6 Before ATE provides its services to the Customer in accordance with the present Agreement, if the Customer concludes, based on its current or intended use of the Services, that the alternative transfer mechanism and/or Standard Contractual Clauses, as applicable, do not provide appropriate safeguards for Customer Personal Data, then Customer may immediately terminate the applicable Agreement for convenience by notifying ATE.

21. General Terms

21.1 If the Customer Personal Data with Reyes Definido Solutions is jeopardized due to attachment or confiscation, insolvency proceedings or due to other events or measures of third parties, Reyes Definido Solutions shall immediately notify (i) the Customer thereof, and (ii) all institutions or persons competent or concerned that the Customer as the Controller as defined in the Applicable Data Protection Laws holds the exclusive sovereignty over and exclusive title to the data. 21.2 Each Party shall keep a record of their processing activities. They agree to co- operate with the Data Protection Authority/ Supervisory Authority when required to do so. 21.3 Reyes Definido Solutions may designate a representative as laid down in Art 27 Paragraph 1 GDPR in the European Union, as applicable.

22. Governing law and jurisdiction

Without prejudice to the Standard Contractual Clauses: 22.1 The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the MSA with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

22.2 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the MSA.

23. Order of precedence

23.1 Nothing in this Addendum reduces Reyes Definido Solution’s obligations under the MSA in relation to the protection of Personal Data or permits Reyes Definido Solutions and/ or the relevant Reyes Definido Solutions Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the MSA. In the event of any conflict or inconsistency between the provisions of this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

23.2 In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the MSA and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

24. Severance

24.1 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.